Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Sneaking a peek on Wlan in airports
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Fri, 18 May 2007 12:04:56 -0700


Some comments below inline 

While I agree that one should try to leave conjecture alone 
and just "answer the question," it's not always that easy to 
do.  Most of the people on this list (well, ones that post 
anyway) are detail oriented, technical, pedantic people.  It 
comes with the job.  So when you see a question that's just 
"not quite right," you have to ask the obvious "how did you 
get here from there" 
questions, particularly when the scenarios smack of white lie.

I'm not disagreeing with your viewpoint, I personally agree. You do have to
bear in mind however that as the list moderator my main focus is to foster
new and interesting discussions and keep the flaming to a minimum. So you'll
see me let through even one-line responses or repeats of information because
at least they took the time (however small) to respond. With somewhere above
15k subscribers to pen-test there are a *lot* of different ways one could
answer what seems a simple question and I'm hoping that the lurkers out
there will chime in. Besides, there are only so many times I can see another
"how do I do X" without groaning when a simple list archive search or 5
minutes on google would have answered. But, since the answers may be new
info to list newcomers I let those go through. I've been in the industry a
long time but every now and then someone points out a tool/method/view that
is illuminating or intriguing in response to a question that had been asked
and answered many times before. 

The simple "what would you do" question brings a lot with it. 
 Personally, it is painfully obvious (or should be) to anyone 
that people will use unsecured, public networks in insecure 
ways.  Being surprised by seeing a
POP3 username/password on a wlan is a "red flag" in itself.  
To have an apparent pen-tester working for PWC post to a list 
asking what he should do in such a case is simply suspect (to 
me, anyway) - so I think it is natural for people to ask WTF?

True. But my effort is to have WTF addressed constructively and avoid
responses which consist of only the WTF ;)
 I would much rather see someone say "I was sniffing traffic 
on a wireless network."  If the "my laptop came out of hibernation" 
scenario is true, then the real lesson should be "if you are 
a professional pen-tester for PWC, you should not, under any 
circumstances, have your laptop set to automatically connect 
to the first unsecured wireless lan it comes across."  The OP 
was (obviously) performing a sniff on another wireless 
network before, presumably as part of a pen-test, and just 
put his lappy into hibernation.  In such a case, 
automatically having his laptop connect to an unsecured 
network could actually have resulted in a breech of 
the data he was previously testing.   The question therefore 
is not "what do 
I do when, gasp, I see a pop3 password" but rather "is this 
the way PWC trains their pen-testers, and is this the way PWC 
goes about protecting their customer's confidential data?"

And the above is a great response and example of going beyond the WTF. Other
list member may now have a "oh, that's a good point. I should pay attention
and not do this in the future because of those reasons". These are things
people with a lot of experience take for granted as obvious but as you know,
sometimes you have to point out the pink elephant in the room... Or in this
case provide a diagram of what a pink elephant looks like.

That being said, when you see POP3 password, SMTP mail data, 
HTTP base64 encoded basic authentication data on an unsecured 
wlan, the obvious thing to do is see if it gets you free porn somehow.

Heh. I thought that was standard operating procedure in the pen-tester
manual listed right after "Find nearest source of caffeine and hook up the

Erin Carroll
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 

This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]